US10164951B2 - Establishing secure communication over an internet of things (IoT) network - Google Patents
- Publication number
- US10164951B2 US15/961,868
- Authority
- US
- United States
- Prior art keywords
- key
- information
- entity
- host
- receiving
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/606—Protecting data by securing the transmission between two devices or processes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/062—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/22—Parsing or analysis of headers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
- H04W12/033—Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0431—Key distribution or pre-distribution; Key agreement
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/50—Secure pairing of devices
- H04W12/55—Secure pairing of devices involving three or more devices, e.g. group pairing
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/70—Services for machine-to-machine communication [M2M] or machine type communication [MTC]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
- H04L2209/805—Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
Definitions
- the present disclosure relates generally to communication systems, more particularly the present disclosure provides methods, systems and computer program products for establishing secure communication over an Internet of Things (IoT) network.
- IoT Internet of Things
- electronic and computing devices are interconnected and enabled to communicate with one another.
- a large number of such devices implemented using IoT network are designed to operate remotely and/or autonomously, without direct human intervention.
- the advancement in the field of IoT has tremendously increased rate of exchange of data between various devices, thereby making security of IoT network an important concern.
- the security can be related to preventing unauthorized access that may inject viruses, worms and other malicious data into the IoT network.
- IoT network embedded using the Internet is very challenging.
- a loosely connected network of IoT devices comprising server, mobile platform, and remote sensor is usually bereft of an enterprise level firewall protection and thus, is prone to malicious attacks.
- a simple low cost computing device such as a sensor or an actuator cannot handle sophisticated communication protocols offering data transmission safeguards that are implemented in more sophisticated computer network.
- remote unattended devices are subjected to phishing, physical attack to disable or replace, or hacking.
- Embodiments of the present disclosure provide methods, systems and computer program products for establishing secure communication over an Internet of Things (IoT) network.
- a method includes performing, by one or more processors of at least one host entity of the one or more host entities implemented in a network: storing plurality of device identifiers, each device identifier corresponding to one of plurality of devices connected in the network to allow access and to share information between the plurality of devices, said plurality of devices comprising the one or more host entities, one or more client entities and one or more key servers; storing an association between one or more devices of the plurality of devices, the association being represented as pairing of device identifiers corresponding to the one or more devices connected to over a communication link in the network; in response to an encryption key request by the at least one host entity to a key server selected from the one or more key servers, receiving an encryption key generated by the key server and a key identifier associated with said encryption key; generating a header comprising an information identifier associated with an information to be protected, the device identifier corresponding to the key server and the key identifier associated with the encryption key; encrypting said information
- on receiving the encryption key request from the at least one host entity, the key server generates a key pair comprising the encryption key and a decryption key, assigns the key identifier to the encryption key and transmits said encryption key and said key identifier to the at least one host entity.
- on transmission of said authorization information, said key identifier, and said header to the key server, the key server stores the authorization information, the device identifier of the at least one host entity and the header as a record in a database.
- on transmission of said encrypted information and the associated header to the at least one receiving entity, the at least one receiving entity extracts the key identifier and the device identifier corresponding to the key server from the header; requests the decryption key from the key server by transmitting the key identifier to said key server; in response to determination that the at least one receiving entity is authorized to access the encrypted information, receives the decryption key from the key server; and decrypts the encrypted information using the received decryption key.
- the determination that the at least one receiving entity is authorized to access the information is performed by the key server, by matching a record corresponding to the key identifier and verifying authorization from authorization information associated with the matched record.
- the authorization information further authorizes at least one client entity of the one or more client entities to transmit information to the at least one host entity.
- the at least one client entity transmits the information on receiving a control message from the at least one host entity.
- the authorization information is in form of a matrix comprising the device identifier of each receiving entity of the set of receiving entities authorized to access the information.
- the matrix further comprises conditional authorization information including a threshold for number of times each receiving entity of the set of receiving entities can make the request and time period for which the each receiving entity of the set of receiving entities can make the request.
- the at least one receiving entity receives the decryption key on verification of conditional authorization information.
- the key pair is generated using any of an asymmetrical key scheme or a symmetrical key scheme.
- the one or more client entities is selected from a position sensor, a motion sensor, a location sensor, an environmental sensor, or an electro-optical actuator.
- a system comprises one or more processors of at least one host entity of the one or more host entities implemented in a network; and a memory coupled to the one or more processors and comprising computer readable program code embodied in the memory that is executable by the processor to perform: storing plurality of device identifiers, each device identifier corresponding to one of plurality of devices connected in the network to allow access and to share information between the plurality of devices, said plurality of devices comprising the one or more host entities, one or more client entities and one or more key servers; storing an association between one or more devices of the plurality of devices, the association being represented as pairing of device identifiers corresponding to the one or more devices connected to over a communication link in the network; in response to an encryption key request by the at least one host entity to a key server selected from the one or more key servers, receiving an encryption key generated by the key server and a key identifier associated with said encryption key; generating a header comprising an information identifier associated with an information
- a computer program product comprises a non-transitory computer readable storage medium comprising computer readable program code embodied in the medium that is executable by one or more processors of at least one host entity of one or more host entities implemented in a network to perform: storing plurality of device identifiers, each device identifier corresponding to one of plurality of devices connected in the network to allow access and to share information between the plurality of devices, said plurality of devices comprising the one or more host entities, one or more client entities and one or more key servers; storing an association between one or more devices of the plurality of devices, the association being represented as pairing of device identifiers corresponding to the one or more devices connected to over a communication link in the network; in response to an encryption key request by the at least one host entity to a key server selected from the one or more key servers, receiving an encryption key generated by the key server and a key identifier associated with said encryption key; generating a header comprising an information identifier associated with an information to
- FIG. 1 illustrates an exemplary architecture of an ideal IoT network in accordance with an embodiment of the present disclosure.
- FIG. 2 illustrates an exemplary hierarchical topology of an IoT network according to an embodiment of the present disclosure.
- FIG. 3 is a module diagram illustrating functional units of a system to enable secure communication within an IoT network in accordance with an embodiment of the present invention.
- FIG. 4A illustrates an exemplary header generated by a host entity in accordance with an embodiment of the present disclosure.
- FIG. 4B illustrates an exemplary key record stored in database of the key server in accordance with an embodiment of the present disclosure.
- FIGS. 5A-B illustrate examples of network architectures implementing the system in accordance with an embodiment of the present disclosure.
- FIG. 6 is a flow diagram illustrating encryption of information at the host entity in accordance with an embodiment of the present disclosure.
- FIG. 7 is a flow diagram illustrating decryption of information at the receiving entity in accordance with an embodiment of the present disclosure.
- FIG. 8 is a flow diagram illustrating transmitting of information from a client entity to a controlling host entity in accordance with an embodiment of the present disclosure.
- Embodiments of the present invention include various steps, which will be described below.
- the steps may be performed by hardware components or may be embodied in machine-executable instructions, which may be used to cause a general-purpose or special-purpose processor programmed with the instructions to perform the steps.
- steps may be performed by a combination of hardware, software, firmware and/or by human operators.
- An apparatus for practicing various embodiments of the present invention may involve one or more computers (or one or more processors within a single computer) and storage systems containing or having network access to computer program(s) coded in accordance with various methods described herein, and the method steps of the invention could be accomplished by modules, routines, subroutines, or subparts of a computer program product.
- FIG. 1 illustrates an exemplary architecture of an ideal IoT network in accordance with an embodiment of the present disclosure.
- a plurality of electronic and computing devices such as mobile devices, personal computers, cloud computing platforms, smart physical sensors, smart actuators and the likes can be connected with each other.
- computing devices 110 to 160 can be all connected with one another to form a network 100.
- the network 100 can either be a standalone network or can form a part of network embedded in one of the different types of networks, such as Intranet, Local Area Network (LAN), Wide Area Network (WAN), Internet, and the like.
- the network 100 can either be a dedicated network or a shared network.
- the shared network can represent an association of the different types of networks that can use variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), and the like.
- HTTP Hypertext Transfer Protocol
- TCP/IP Transmission Control Protocol/Internet Protocol
- WAP Wireless Application Protocol
- maximum number of allowed connections is N(N − 1)/2.
- the network 100 comprising 6 devices can have a maximum of 15 connections.
- the maximum number of connections can be approximated to N*N/2.
- the number of possible connections can be much more than the number of devices in the network; however, in practical implementation, the number of inter-connections within the network is much less, as the devices are generally arranged in a hierarchical topology where one or more host entities can control a plurality of client entities.
- FIG. 2 illustrates an exemplary hierarchical topology of an IoT network according to an embodiment of the present disclosure.
- computing devices of an exemplary network 200 can be categorized into three categories, i.e. key servers 205, 210 and 215, host entities 220, 225 and 230 and client entities 235, 240, 245, 250, 255 and 260. Said categories can be based on respective functionalities of the devices connected in the network 200.
- the key servers 205, 210 and 215 can generate security keys such as encryption and decryption keys and can store said keys in a respective database.
- the key servers 205, 210 and 215 can be standalone security servers in the network 200, security servers embedded in any device in the network 200, remote computer nodes outside the network 200 or virtual machines residing outside the devices, such as cloud storage.
- the host entities 220, 225 and 230 can be computing devices such as portable computers, personal digital assistants, handheld devices, workstations, etc. that can possess sufficient processing power and memory and can be operatively coupled with a User Interface (UI) to allow human interaction.
- the host entities can be Virtual Machine (VM) devices that can be located in a cloud platform.
- the client entities 235, 240, 245, 250, 255 and 260 can be devices with limited computing power and memory and can be controlled by the host entities 220, 225 and 230.
- client entities 235, 240, 245, 250, 255 and 260 may not require a UI.
- the client entities 235, 240, 245, 250, 255 and 260 can be capable of reporting position.
- position data from a sensor can be combined with a time stamp to track movement of a client entity.
- an embedded multi-axis accelerometer can provide more information on nature of the motion.
- a Global Positioning System GPS
- RTLS Real Time Location System
- the client entities 235, 240, 245, 250, 255 and 260 can be equipped with a wide variety of environmental sensors to cover various types of spectrums such as audio, video, electro-magnetic, etc. Further, data from the client entities 235, 240, 245, 250, 255 and 260 can be streamed to the host entities 220, 225 and 230 for analysis and storage. The host entities 220, 225 and 230 can take actionable decisions based on analysis of the data derived from the client entities 235, 240, 245, 250, 255 and 260.
- the client entities 235, 240, 245, 250, 255 and 260 can be equipped with electromechanical or electro-optical actuators to perform practical physical actions.
- said actuators can be used for controlling switching of lighting devices, air conditioners, and other appliances.
- the client entities 235, 240, 245, 250, 255 and 260 can be actuators embedded in a plurality of robots or robotic arms that can be controlled to minimize human operations.
- the client entities 235, 240, 245, 250, 255 and 260 can be disposable after performing a designed function for a fixed time period.
- disposable sensors can be used for extended monitoring or situations where risk of cross-contamination is high.
- client entities 235, 240, 245, 250, 255 and 260 can be configured with plurality of sensors and actuators to enable a variety of tasks by a single device.
- the devices of the network 200 can be capable of continuously transmitting information with one another.
- the information can be defined in most general sense to include control message between devices, i.e. computer instructions, and any form of digitized data, routine operation of the network 200.
- the key servers 205, 210 and 215, the host entities 220, 225 and 230 and the client entities 235, 240, 245, 250, 255 and 260 can be virtualized generic devices that can represent a wide variety of computing, sensory and actuator devices.
- one device can be categorized into different type in different configuration.
- a mobile device can operate as a host entity in one network configuration, can operate as a key server in another configuration, and can operate as a client entity in yet another configuration.
- multiple functions can be combined in a single device.
- a computing device can operate as an integrated key server and host entity.
- embodiments of the present disclosure provide the flexibility to allow the network 200 to reconfigure itself during its operating life such that the technique for establishing a secure communication can be adapted in different network configurations.
- the number of connections in the network 200 would be much less than maximum possible connections.
- the host entities 220 and 225 can access the key servers 205 and 210 .
- the host entity 230 can be connected to only one key server 215 , having no access to the key servers 205 and 210 .
- Each of the host entities 220 , 225 and 230 can control a plurality of client entities 235 , 240 , 245 , 250 , 255 and 260 .
- the host entity 220 can control the client entities 235 , 240 , 245 and 250 .
- the host entity 225 can control the client entities 250 , 255 and 260 .
- the host entity 230 can control the client entities 255 and 260 .
- the client entities 245 and 250 can be shared and controlled by both the host entities 220 and 225 .
- the client entity 255 can be connected to and controlled by the host entities 225 and 230 .
- the client entity 260 can be solely controlled by the host entity 230 .
- the network configuration can be extended to an arbitrary number of key servers and host entities, and a plurality of host entities can share control of a single client entity.
- the key servers 205 , 210 and 215 can serve security keys to the host entities 220 , 225 and 230 and connected client entities 235 , 240 , 245 , 250 , 255 and 260 . Any information can be encrypted by an encryption key before transmission, and decrypted at a destination by a decryption key from the same key server.
- a host entity can request a key only from a connected key server.
- the host entity 230 can only request a key from the key server 215 .
- the network can include a single key server that can provide keys to all connected host entities.
- a client entity can only request a key from the key server connected to its controlling host.
- the client entity 235 can be controlled by the host entity 220 , which in turn is connected to the key servers 205 and 210 . Therefore, the client entity 235 can request a key from both the key servers 205 and 210 , and not from the key server 215 .
- when the client entity 235 requests a key, the request can be sent to the key server 205 through the host entity 220 , and the key can be served by the same key server 205 through the host entity 220 ; therefore a need for a separate connection between the client entity 235 and the key server 205 can be integrated with the host entity 220 .
- FIG. 3 is a module diagram illustrating functional units of a system to enable secure communication within an IoT network in accordance with an embodiment of the present invention.
- the system 300 can include one or more processor(s) 302 .
- the one or more processor(s) 302 can be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, logic circuitries, and/or any devices that manipulate data based on operational instructions.
- the one or more processor(s) 302 are configured to fetch and execute computer-readable instructions stored in a memory 304 of the system 300 .
- the memory 304 can store one or more computer-readable instructions or routines, which may be fetched and executed to create or share the data units over a network service.
- the system 300 can also include an interface(s) 306 .
- the interface(s) 306 may include a variety of interfaces, for example, interfaces for data input and output devices, referred to as I/O devices, storage devices, and the like.
- the interface(s) 306 may facilitate communication of the system 300 with various devices coupled to the system 300 .
- the interface(s) 306 may also provide a communication pathway for one or more components of the system 300 . Examples of such components include, but are not limited to, processing engine(s) 310 and data 308 .
- the engine(s) 310 can be implemented as a combination of hardware and software or firmware programming (for example, programmable instructions) to implement one or more functionalities of the engine(s) 310 .
- the programming for the engine(s) may be processor executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the engine(s) 310 may include a processing resource (for example, one or more processors), to execute such instructions.
- the machine-readable storage medium may store instructions that, when executed by the processing resource, implement the engine(s) 310 .
- the system 300 can include the machine-readable storage medium storing the instructions and the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to system 300 and the processing resource.
- the engine(s) 310 may be implemented by electronic circuitry.
- the data 308 can include data that is either stored or generated as a result of functionalities implemented by any of the components of the engine(s) 310 .
- the processing engine(s) 310 can include a network attribute maintenance module 312 , a communication module 314 , a header generation module 316 , an encryption module 318 and other module(s) 320 .
- the other module(s) 320 can implement functionalities that supplement applications or functions performed by the system 300 or the processing engine(s) 310 .
- the network attribute maintenance module 312 can enable storage of:
- the key servers of the network can also include a memory in which machine executable instructions can be stored and one or more processors connected to the memory for executing machine executable instructions that can be stored in the memory to carry out a plurality of functions.
- the attributes of the network can be defined by any of the key servers of the network and said attributes can be provided to the network attribute maintenance module 312 of the host entities of the network, such that the network attribute maintenance module 312 can enable storage of the attributes in the respective host entity.
- the network can be reconfigured by updating or editing the attributes of the network or the config file, however, such reconfiguration can be subject to constraints on computing power, UI capability, communication bandwidth and memory capacity of various devices of the network.
- the reconfiguration can be a physical reconfiguration, e.g. addition or deletion of device, a logical reconfiguration e.g. allowing or disallowing communication between key server to host entity and host entity to client entity, or reconfiguration of a mode of operation of any device e.g. configuring a host entity as a key server or combining a key server and a host entity or adding a client function to a host entity.
- the network attribute maintenance module 312 can maintain authorization information indicating receiving entities that are authorized to access the transferred information.
- the receiving entities can be any host entity or client entity to which information is transferred from the host entity implementing the system 300 .
- the authorization information can be maintained in a matrix that can be generated and updated using the network attribute maintenance module 312 of the transmitting host entity.
- the matrix can be generated once prior to first transmission and can be left unchanged for subsequent transmissions.
- the contents of the matrix can be changed prior to every transmission of information from the host entity.
- the matrix generated by the host entity 220 can indicate authorization information by specifying the identifiers of other host entities and client entities in the network that can be allowed to request a decryption key to the information sent by the host entity 220 .
- the plurality of host and client entities authorized by host entity 220 can maximally include host entity 225 , and client entities 235 , 240 , 245 and 250 .
- the matrix generated by the host entity 220 can shortlist one device for a single end to end transmission.
- the matrix can confer much flexibility to the host entity 220 to control intended receivers of a transmission.
- the authorized recipient devices can be constrained by the config file, hence, the host entity 220 can transmit to host entity 225 but not host entity 230 because the config file does not allow a connection between 220 and 230 .
- the client entities that can be controlled by a host entity can be stored in a config file, and the matrix can further specify when and under what circumstances the client entities can initiate data communication.
- the matrix generated by a controlling host can specify transmission of information or data from a client entity when the controlling host entity requires sensor data for analysis or storage.
- the host entity 220 can control client entities 235 , 240 , 245 and 250 .
- the matrix can specify client entities being allowed to transmit data by selectively blocking transmission from certain devices.
- client entity 250 is paired with host entities 220 and 225 according to the config file, but the matrix generated by host entity 220 can further specify that client 250 can transmit data to host entity 220 only, or to host entity 225 only, or to both host entities 220 and 225 .
- the matrix can further specify conditional authorization information for transmission of information from a client entity to the designated host entity.
- said authorization information can include a threshold number of times the client's designated host entity can make a request for the client to transmit data, and a time period for which the host entity can receive data from the client entity.
- the host entity can request an encryption key from a key server using the communication module 314 .
- the key server can be selected from one or more key servers configured in the network.
- if the transmitting host entity is 230 , it can request an encryption key from the sole assigned key server 215 ; on the other hand, if the transmitting host entity is 220 , it can request the encryption key either from key server 205 , or from key server 210 .
- the key server that provides the encryption key can be selected based on security policy of the network and may depend on network considerations such as load balancing of the key servers, immediate availability of the key server, etc. Thus, out of the multiple key servers that can serve encryption key to a requesting host entity at any given time, the selection of the key server can be determined based on the network policy.
- the header generation module 316 can generate a header that can include an information identifier that can be a random file ID associated with information to be protected before transmission, the key identifier, and device identifier of the key server that provides the encryption key.
- the header can also include other parameters such as time and date of encryption, GPS location of the key server, the internet protocol address of the key server 210 or 220 , etc.
- the encryption module 318 can encrypt the information that is required to be protected before transmission.
- the encryption module 318 can encrypt the information using the received encryption key and can associate the generated header to the encrypted information. Additionally, the encryption module 318 can generate a hash for the information before performing the encryption. This technique would be useful in verifying the integrity of the information that would be received by the receiving entity.
- the communication module 314 can transmit the encrypted information along with the associated header to the receiving entity that is intended to receive the information. Further, the communication module 314 can transmit the authorization information in the form of the matrix, the key identifier associated with the encryption key and the generated header to the key server.
- an asymmetric key scheme such as RSA scheme or an elliptical key scheme can be employed that generates a key pair comprising an encryption key and a decryption key that are connected by a mathematical relationship.
- a symmetrical key scheme can be employed in which a single key can perform both encryption and decryption operation.
- the encryption key and the decryption key of the key pair would be same.
- the key server, on receiving the authorization information in the form of the matrix, the key identifier associated with the encryption key and the header generated by the header generation module 316 of the system 300 of the host entity, can bind the device identifier of the host entity with the header and the matrix and can store said combined device identifier of the host entity, the matrix and the header as a key record in a database that can be operatively coupled with the key server.
- on transmission of the encrypted information and the associated header to the receiving entity by the communication module 314 , the receiving entity extracts the key identifier and the device identifier corresponding to the key server from the received header. Further, the receiving entity can request the key server, identified through the device identifier obtained from the header, for the decryption key. The request for the decryption key can be made by transmitting the key identifier to said key server. Further, the key server can then determine, using the matrix, whether the client entity is authorized to access the information. Also, in response to determination that the client entity is authorized to access the encrypted information, the receiving entity can receive the decryption key from the key server and can decrypt the encrypted information using the received decryption key and the received header. The process of decryption by the receiving entity is further elaborated with reference to FIG. 7 .
- FIG. 4A illustrates an exemplary header generated by a host entity in accordance with an embodiment of the present disclosure.
- the encrypted information 410 can be associated with a header 420 .
- the header can contain an information identifier represented by file ID and a key identifier represented by key ID, both of which can be randomly generated and thus be mathematically unique.
- the header 420 can include device identifier of the key server i.e. the key server ID that can be utilized to trace the key server by the receiving entity.
- FIG. 4B illustrates an exemplary key record stored in database of the key server in accordance with an embodiment of the present disclosure.
- the key server can include a database 460 to store records that can be utilized for transmission of information.
- An exemplary key record 470 can include the device identifier of the host entity transmitting the information, represented by Host ID; the hash of the header generated by the host entity and transmitted to the key server, represented by header hash; the association information provided by the host entity, represented by matrix; and the header generated by the host entity.
- the plurality of key records stored in the database can provide a complete history of how information is generated, manipulated and operated upon by various devices within the network.
- Big Data Analytics can be applied to data from the databases of the various key servers wherein the time history of key serving, and the history of all the matrices can be provided as an input to Big Data Analytics to evaluate efficiency of the network.
- FIGS. 5A-B illustrate examples of network architectures implementing the system in accordance with an embodiment of the present disclosure.
- FIG. 5A illustrates an exemplary implementation of the system in mobile devices to establish secure communication in accordance with an embodiment of the present disclosure.
- the network 500 can be utilized to allow secure telephonic communication between two users.
- the network 500 can include a key server 505 , two mobile devices 510 and 515 that can be operated as host entities, and two wireless headsets 520 and 525 that can be operated as client entities.
- the wireless headsets can be used by the users for speaking and listening.
- voice data can be converted into digital Pulse Code Modulation (PCM) in situ in 520 .
- the mobile device 510 can request the encryption key from the key server 510 to encrypt the voice file and can erase the clear text voice file.
- the encrypted voice file can be transmitted to the mobile device 515 .
- the receiving mobile phone 515 can receive the encrypted voice file and send it wirelessly to the wireless headphone 525 .
- the wireless headphone 525 can request a decryption key from key server 505 and can decrypt the voice file and can play it to the user of mobile phone 515 . This process can be repeated to allow a secure conversation. For the purpose of record, only encrypted information can be stored and unencrypted text voice files can be erased.
- FIG. 5B illustrates an exemplary implementation of the system for controlling of a plurality of sensors in accordance with an embodiment of the present disclosure.
- host entity 560 can be a home gateway that can access, control and collect data from a plurality of sensors and actuators 575 - 1 , 575 - 2 , . . . , 575 -N that can be installed within the residence of a user.
- the sensors and actuators 575 - 1 , 575 - 2 , . . . , 575 -N can be the client entities that can receive command from the host entity 560 .
- sensor collected data can be routed to and aggregated by the host entity 560 .
- Aggregated data can be sent to the host entity 565 to be subjected to big data analytics.
- a cloud platform 570 can store the data sent by 565 . It would be appreciated that the data stored in the cloud platform 570 would be in encrypted form, with decryption key stored in the key server 555 , thus ensuring security of the stored data.
- the key server 555 can serve the encryption/decryption keys to the devices and can also be used for archiving operational history of key serving and storage. All keys served to the client entities 575 - 1 , 575 - 2 , . . . , 575 -N can be routed through the host entity 560 .
- sensor data from the client devices can be encrypted before routing to the gateway 560 .
- FIG. 6 is a flow diagram illustrating encryption of information at the host entity in accordance with an embodiment of the present disclosure.
- the process to encrypt data at the host entity can be initiated at block 602 where the host entity requests an encryption key from a key server.
- the key server can be selected from one or more key servers connected to the host entity based on security policy of the network. It would be appreciated that, the device identifier of the key server, i.e., the key server ID would be bound to both the encryption key and the encrypted file ensuring that when the receiving device requires to decrypt the information, the receiving device can know which key server to make the request for the decryption key.
- the key server can generate a key pair comprising an encryption key and a decryption key according to a preselected algorithm.
- the key server can also generate a random and unique key identifier and can associate the generated key identifier with the encryption key. Further, the key server can transmit the encryption key and the associated key identifier to the host entity.
- the host entity can receive the encryption key and the associated key identifier from the key server. Further, at block 606 , the host entity can generate a header that can include the key identifier, the device identifier of the key server from which the encryption key is received and an information identifier associated with the information to be protected, for example a random file ID. The header can also include parameters such as time and date of encryption, GPS location of the key server, the Internet Protocol (IP) address of the key server, etc. Additionally, the host entity can generate a hash for the information to be encrypted that can be used to verify the integrity of the decrypted file at the receiving end.
- the host entity can encrypt the information using the received encryption key and can associate the generated header with the encrypted information.
- the host entity can transmit the encrypted information and the associated header to a receiving entity.
- the host entity can transmit the key identifier associated with the encryption key used to encrypt information and the header along with the authorization information to the key server.
- the authorization information can be in the form of the matrix indicating receiving entities, which are authorized to access the transmitted information.
- the host entity can transmit a header hash instead of the header to the key server.
- the key server can bind the header with device identifier of the host entity and the authorization information together, and can store the combined information as one record in a database operatively coupled with the key server. Lastly, the original information in the host entity can be erased, such that only encrypted information can be available for further use.
- FIG. 7 is a flow diagram illustrating decryption of information at the receiving entity in accordance with an embodiment of the present disclosure.
- the process to decrypt the information at the receiving entity can be initiated at block 702 , where the receiving entity can receive the encrypted information along with the header associated with the encrypted information.
- the receiving entity can extract the key identifier and device identifier of the key server from the header such that a request for decryption key can be made to corresponding key server having the extracted device identifier at block 706 .
- the request for decryption key can be made to the key server by transmitting the extracted key identifier to the key server.
- the key server can locate the key record using the key identifier; thereby, the key server can check the matrix indicating authorization information to determine whether the receiving entity is authorized to access the information or not.
- the key server can make said determination based on multiple criteria based on the matrix to approve or disapprove releasing the decryption key to the receiving entity.
- the multiple criteria can include whether the receiving entity is in the list of approved receiving entities provided by the host entity, whether the request does not exceed the threshold of number of times the decryption key can be released to the receiving device, and whether the releasing of the decryption key is within an approved time period.
- the key server releases the decryption key and the receiving entity receives the decryption key that can be used to decrypt the encrypted information.
- the receiving entity can receive the decryption key as well as the header hash from the key server.
- the receiving entity can receive header hash information that can include the header hash and the hash method; the receiving entity can generate a new header hash with the hash method and compare the new header hash with the header hash received in the header hash information from the key server so as to verify the integrity of the header associated with the encrypted information.
- the receiving entity can regenerate the hash from the header to compare with the received hash in case the receiving entity has received the encrypted information by hashing the information that was required to be protected.
- the receiving entity can determine if the hashes match. Matching of the two hashes can indicate the encrypted information is the correct one and un-corrupted. Further at block 716 , said encrypted information would be decrypted. Further, the decrypted information can be retained for a specific time period that can be indicated in the matrix and at block 718 , the decrypted information can be erased.
- the decrypted information is a computer instruction for a receiving entity such as a client entity to perform certain task
- the information can be deleted after execution by the client entity.
- the time limit for erasing the decrypted information is automatically determined.
- the technique of erasing the decrypted information after an appropriate time limit ensures that a minimum amount of data resides in the network.
- a failure to match the two hashes can switch the receiving device 720 into a No-Operation (NOP) state, such that the receiving entity can wait for further instructions from the host device.
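The key-release decision of FIG. 7 (receiver listed in the matrix, release threshold, approved time period) and the header-hash check that follows it can be modelled as below. This is an added example, not code from the patent: the class and function names, the JSON header serialization, SHA-256, the symmetric key and the rule that only the issuing host may register a matrix are all assumptions, and the entity names are constructed from the reference numerals used above.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def header_hash(header: dict) -> str:
    """Hash the header over canonical JSON (serialization and SHA-256 are assumptions)."""
    blob = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


@dataclass
class Grant:
    """One matrix entry: the conditions for releasing the key to one receiver."""
    max_releases: int   # threshold on the number of key releases
    not_before: float   # start of the approved time period (epoch seconds)
    not_after: float    # end of the approved time period
    released: int = 0


@dataclass
class KeyRecord:
    host_id: str
    key: bytes
    header_hash: Optional[str] = None
    matrix: Dict[str, Grant] = field(default_factory=dict)


class KeyServer:
    def __init__(self, server_id: str) -> None:
        self.server_id = server_id
        self.records: Dict[str, KeyRecord] = {}

    def issue_key(self, host_id: str) -> Tuple[str, bytes]:
        """Generate a key and a random key ID for the requesting host (symmetric scheme)."""
        key_id = secrets.token_hex(16)
        key = secrets.token_bytes(32)
        self.records[key_id] = KeyRecord(host_id, key)
        return key_id, key

    def register(self, host_id, key_id, hdr_hash, matrix) -> None:
        """Bind host ID, header hash and matrix into the key record."""
        rec = self.records.get(key_id)
        # Assumption: only the host the key was issued to may attach a matrix.
        if rec is None or rec.host_id != host_id:
            raise PermissionError("key was not issued to this host")
        rec.header_hash, rec.matrix = hdr_hash, matrix

    def release(self, requester_id, key_id, now) -> Optional[Tuple[bytes, str]]:
        """Apply the three release criteria; return (key, header hash) or None."""
        rec = self.records.get(key_id)
        if rec is None or rec.header_hash is None:
            return None                      # unknown key ID or no matrix registered
        grant = rec.matrix.get(requester_id)
        if grant is None:
            return None                      # not in the list of approved receivers
        if not (grant.not_before <= now <= grant.not_after):
            return None                      # outside the approved time period
        if grant.released >= grant.max_releases:
            return None                      # release threshold exhausted
        grant.released += 1
        return rec.key, rec.header_hash


def receiver_fetch_key(servers, receiver_id, header, now) -> Optional[bytes]:
    """Receiver side: locate the key server from the header, then verify the header."""
    server = servers.get(header.get("key_server_id"))
    if server is None:
        return None
    result = server.release(receiver_id, header.get("key_id"), now)
    if result is None:
        return None
    key, expected = result
    # Hash mismatch: the receiver does not use the key (the NOP state in the text).
    if not hmac.compare_digest(expected, header_hash(header)):
        return None
    return key


def demo() -> dict:
    """Constructed scenario: host 220 sends to clients 235 and 245 via key server 205."""
    ks = KeyServer("ks-205")
    servers = {ks.server_id: ks}
    key_id, key = ks.issue_key("host-220")
    header = {"file_id": secrets.token_hex(8), "key_id": key_id,
              "key_server_id": ks.server_id}
    t0 = 1000.0
    matrix = {"client-235": Grant(1, t0, t0 + 60),
              "client-245": Grant(5, t0, t0 + 10)}
    ks.register("host-220", key_id, header_hash(header), matrix)
    tampered = dict(header, file_id=header["file_id"] + "x")
    return {
        "tampered_header": receiver_fetch_key(servers, "client-245", tampered, t0 + 1),
        "authorized": receiver_fetch_key(servers, "client-235", header, t0 + 5) == key,
        "over_threshold": receiver_fetch_key(servers, "client-235", header, t0 + 6),
        "unlisted": receiver_fetch_key(servers, "host-230", header, t0 + 5),
        "expired": receiver_fetch_key(servers, "client-245", header, t0 + 11),
    }
```

In this model a request carrying a tampered header still consumes one release from the requester's threshold, because the key server only sees the key identifier; the mismatch is detected at the receiver.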
- FIG. 8 is a flow diagram illustrating transmitting of information from a client entity to a controlling host entity in accordance with an embodiment of the present disclosure.
- the process of transmission and encryption by a receiving device such as the client entity controlled by the host device can be initiated at block 802 , where the client entity can receive encrypted information and an associated header from the host device, which can be an encrypted control message instruction to transmit information.
- the host entity can set up the matrix such that the client entity is provided an authorized access.
- the client entity can decrypt the encrypted control message by extracting the key identifier and device identifier of the key server to decrypt the encrypted information.
- the control message is an instruction to transmit the information by the client entity.
- the client entity can now be operated as a transmitting entity and can follow a process similar to a process of performing encryption by the host entity.
- the client entity can request an encryption key from the key server corresponding to the device identifier extracted from the header.
- the client entity can receive an encryption key and an associated key identifier from the key server.
- the client entity can generate the header comprising the information identifier, the key identifier, and the device identifier of the key server.
- the header can also contain other parameters such as time and date of encryption, GPS or RTLS location and the like.
- the client entity can generate a hash for the information to be encrypted. Further, the client entity can encrypt the information and can associate the encrypted information with the header.
- the client entity can transmit the encrypted information and the associated header to the receiving device that can be the host entity that issued the encrypted control message. Further at block 814 , the entity can transmit the key identifier and the header or the header hash to the key server.
- the key server can retrieve the matrix generated by the host entity, can bind said matrix, the device identifier of the client entity and the header, and can store them as a key record.
- the host entity sends a control message to the client entity to transmit information, and subsequently both the client entity and the key server entity observe the matrix that was generated by the host entity.
- the three devices i.e. the host entity, the key server and the client entity.
- An adherence to the key serving and header, and key record protocol is required as the client entity cannot operate independently and the host entity performs legitimate controlling of the client entity. Therefore, embodiments of the present disclosure provide a technique that can allow devices of a network to operate autonomously for a prolonged period of time.
- during network initialization or network rebooting, it is important for a host entity to send an instruction to a client entity.
- the first instruction from the host entity would let the client entity know the reporting host entity and, by inference, which key server should be requested for the encryption key when the client entity receives an instruction to transmit, in accordance with the matrix generated by the host entity.
- the client entity can make un-prompted status reports after the host entity sends detailed instructions on the frequency of reporting, which can be stored in memory of the client entity.
- all sensitive data flow between various devices within a network can be encrypted.
- All control messages e.g. computer command instructions can be encrypted, and computer instruction execution by any device would not be allowed unless the control message is successfully decrypted.
- the present disclosure provides secure communications between various devices of the network.
- Embodiments of the present disclosure may be implemented entirely in hardware, entirely in software (including firmware, resident software, micro-code, etc.) or in a combined software and hardware implementation that may all generally be referred to herein as a “circuit,” “module,” “component,” or “system.” Furthermore, aspects of the present disclosure may take the form of a computer program product comprising one or more computer readable media having computer readable program code embodied thereon.
- Coupled to is intended to include both direct coupling (in which two elements that are coupled to each other contact each other) and indirect coupling (in which at least one additional element is located between the two elements). Therefore, the terms “coupled to” and “coupled with” are used synonymously. Within the context of this document terms “coupled to” and “coupled with” are also used euphemistically to mean “communicatively coupled with” over a network, where two or more devices are able to exchange data with each other over the network, possibly via one or more intermediary device.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Medical Informatics (AREA)
- Telephonic Communication Services (AREA)
Abstract
Description
- a. The device identifiers of key servers
- b. The device identifiers of host entities
- c. The device identifiers of one or a plurality of key servers assigned to each host entity. Host entity 220 has assigned key servers Host entity 225 has assigned key servers Host entity 230 has only one assigned key server 215;
- d. The device identifiers of client entities
- e. The device identifiers of one or a plurality of host entities the assigned client entities. For example, clients host entity 220, client entities host entity 225, and client entities host entity 230. Thus client entity 250 is shared by two host entities client entity 255 is shared by host entities
Claims (18)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/961,868 US10164951B2 (en) | 2017-04-25 | 2018-04-24 | Establishing secure communication over an internet of things (IoT) network |
US16/198,876 US10423802B2 (en) | 2017-04-25 | 2018-11-23 | Establishing data security over an internet of things (IoT) network |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201762490019P | 2017-04-25 | 2017-04-25 | |
US15/961,868 US10164951B2 (en) | 2017-04-25 | 2018-04-24 | Establishing secure communication over an internet of things (IoT) network |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/198,876 Continuation-In-Part US10423802B2 (en) | 2017-04-25 | 2018-11-23 | Establishing data security over an internet of things (IoT) network |
Publications (2)
Publication Number | Publication Date |
---|---|
US20180309734A1 (en) | 2018-10-25 |
US10164951B2 (en) | 2018-12-25 |
Family
ID=63854204
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/961,868 Active US10164951B2 (en) | 2017-04-25 | 2018-04-24 | Establishing secure communication over an internet of things (IoT) network |
Country Status (3)
Country | Link |
---|---|
US (1) | US10164951B2 (en) |
CN (1) | CN110785985A (en) |
WO (1) | WO2018196758A1 (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11153172B2 (en) * | 2018-04-30 | 2021-10-19 | Oracle International Corporation | Network of nodes with delta processing |
US11228433B2 (en) * | 2018-07-02 | 2022-01-18 | Baskaran Dharmarajan | Cloud based multi-key authorization based system |
US11038698B2 (en) | 2018-09-04 | 2021-06-15 | International Business Machines Corporation | Securing a path at a selected node |
US11991273B2 (en) | 2018-09-04 | 2024-05-21 | International Business Machines Corporation | Storage device key management for encrypted host data |
US11088829B2 (en) * | 2018-09-04 | 2021-08-10 | International Business Machines Corporation | Securing a path at a node |
FR3103071B1 (en) * | 2019-11-12 | 2023-01-27 | Airbus Cybersecurity Sas | Secure communication method |
US11165588B1 (en) * | 2020-04-09 | 2021-11-02 | International Business Machines Corporation | Key attribute verification |
CN112737700B (en) * | 2020-12-21 | 2021-11-16 | 武汉船舶通信研究所(中国船舶重工集团公司第七二二研究所) | Data encryption and decryption method and device, encryption equipment and storage medium |
US11520918B2 (en) * | 2021-02-03 | 2022-12-06 | Microsoft Technology Licensing, Llc | Protection for restricted actions on critical resources |
CN113065841A (en) * | 2021-03-10 | 2021-07-02 | 广西东信易联科技有限公司 | Life cycle management method and system of Internet of things embedded equipment |
CN113905258B (en) * | 2021-09-08 | 2023-11-03 | 鹏城实验室 | Video playing method, network device and storage medium |
JP2023042903A (en) * | 2021-09-15 | 2023-03-28 | 株式会社東芝 | Communication apparatus, communication method and communication system |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090106550A1 (en) | 2007-10-20 | 2009-04-23 | Blackout, Inc. | Extending encrypting web service |
US20120170743A1 (en) | 2010-12-31 | 2012-07-05 | Motorola, Inc. | Methods for establishing a secure point-to-point call on a trunked network |
US8279777B2 (en) | 2005-07-18 | 2012-10-02 | Stewart Ian A | Method for secure reliable point to multi-point bi-directional communications |
WO2014036977A1 (en) | 2012-09-10 | 2014-03-13 | Nwstor Limited | Data security management system |
US9003177B2 (en) | 2001-03-27 | 2015-04-07 | Micron Technology, Inc. | Data security for digital data storage |
US9178694B2 (en) | 2009-04-29 | 2015-11-03 | Empire Technology Development Llc | Securing backing storage data passed through a network |
US20160021529A1 (en) * | 2014-07-17 | 2016-01-21 | Samsung Electronics Co., Ltd. | Method and device for updating profile management server |
WO2017081208A1 (en) * | 2015-11-13 | 2017-05-18 | Cassidian Cybersecurity Sas | Method for securing and authenticating a telecommunication |
US20180034913A1 (en) * | 2016-07-28 | 2018-02-01 | Citrix Systems, Inc. | System and method for controlling internet of things devices using namespaces |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101715638A (en) * | 2007-03-20 | 2010-05-26 | 迪姆威奇软件有限责任公司 | Secure electronic messaging system requiring key retrieval for deriving decryption key |
KR20100133953A (en) * | 2007-12-21 | 2010-12-22 | 코쿤 데이터 홀딩스 리미티드 | System and method for securing data |
CN102142974B (en) * | 2010-01-28 | 2015-05-13 | 中兴通讯股份有限公司 | Method and system for authorizing management of terminals of internet of things |
JP6190188B2 (en) * | 2013-07-05 | 2017-08-30 | クラリオン株式会社 | Information distribution system and server, in-vehicle terminal, communication terminal used therefor |
US9769133B2 (en) * | 2014-11-21 | 2017-09-19 | Mcafee, Inc. | Protecting user identity and personal information by sharing a secret between personal IoT devices |
US9935950B2 (en) * | 2015-01-12 | 2018-04-03 | Verisign, Inc. | Systems and methods for establishing ownership and delegation ownership of IOT devices using domain name system services |
CN106059869B (en) * | 2016-07-26 | 2019-06-18 | 北京握奇智能科技有限公司 | A kind of internet of things intelligent household equipment safety control method and system |
2018
- 2018-04-24 US US15/961,868 patent/US10164951B2/en active Active
- 2018-04-24 WO PCT/CN2018/084302 patent/WO2018196758A1/en active Application Filing
- 2018-04-24 CN CN201880042180.6A patent/CN110785985A/en active Pending
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9003177B2 (en) | 2001-03-27 | 2015-04-07 | Micron Technology, Inc. | Data security for digital data storage |
US8279777B2 (en) | 2005-07-18 | 2012-10-02 | Stewart Ian A | Method for secure reliable point to multi-point bi-directional communications |
US20090106550A1 (en) | 2007-10-20 | 2009-04-23 | Blackout, Inc. | Extending encrypting web service |
US8825999B2 (en) * | 2007-10-20 | 2014-09-02 | Blackout, Inc. | Extending encrypting web service |
US9178694B2 (en) | 2009-04-29 | 2015-11-03 | Empire Technology Development Llc | Securing backing storage data passed through a network |
US20120170743A1 (en) | 2010-12-31 | 2012-07-05 | Motorola, Inc. | Methods for establishing a secure point-to-point call on a trunked network |
US8724812B2 (en) * | 2010-12-31 | 2014-05-13 | Motorola Solutions, Inc. | Methods for establishing a secure point-to-point call on a trunked network |
WO2014036977A1 (en) | 2012-09-10 | 2014-03-13 | Nwstor Limited | Data security management system |
US20150244684A1 (en) * | 2012-09-10 | 2015-08-27 | Nwstor Limited | Data security management system |
US20160021529A1 (en) * | 2014-07-17 | 2016-01-21 | Samsung Electronics Co., Ltd. | Method and device for updating profile management server |
WO2017081208A1 (en) * | 2015-11-13 | 2017-05-18 | Cassidian Cybersecurity Sas | Method for securing and authenticating a telecommunication |
US20180034913A1 (en) * | 2016-07-28 | 2018-02-01 | Citrix Systems, Inc. | System and method for controlling internet of things devices using namespaces |
Also Published As
Publication number | Publication date |
---|---|
CN110785985A (en) | 2020-02-11 |
WO2018196758A1 (en) | 2018-11-01 |
US20180309734A1 (en) | 2018-10-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10164951B2 (en) | Establishing secure communication over an internet of things (IoT) network | |
US10423802B2 (en) | Establishing data security over an internet of things (IoT) network | |
Geller et al. | 5G security innovation with Cisco | |
US9374345B2 (en) | Transparent encryption/decryption gateway for cloud storage services | |
US11487573B2 (en) | Systems and method for automating security workflows in a distributed system using encrypted task requests | |
CA3123369C (en) | Secure connection established with the use of routing tokens | |
US10044760B2 (en) | Policy rule based on a requested behavior | |
CN111193698B (en) | Data processing method, device, terminal and storage medium | |
US11489853B2 (en) | Distributed threat sensor data aggregation and data export | |
US20210344690A1 (en) | Distributed threat sensor analysis and correlation | |
US20230273853A1 (en) | Securing an application based on auto-learning and auto-mapping of application services and apis | |
CN110537181B (en) | Method for classifying application data, computing device and storage medium | |
CN104683477B (en) | A kind of shared file operation filter method based on SMB agreements | |
US20170104639A1 (en) | Management-as-a-Service for On-Premises Information-Technology Systems | |
US20060184784A1 (en) | Method for secure transference of data | |
US10601788B2 (en) | Interception of secure shell communication sessions | |
US11929990B1 (en) | Dynamic management of servers based on environmental events | |
CN111970281B (en) | Routing equipment remote control method and system based on verification server and electronic equipment | |
KR102024267B1 (en) | Elastic intrusion detection system and method for managing the same | |
Sridharan | Track Your Track (TYT) | |
KR102176430B1 (en) | Restoration automation apparatus and control method thereof | |
WO2021221930A1 (en) | Threat sensor deployment and management | |
WO2024073843A1 (en) | Systems and methods for establishing a secure digital network environment | |
KR20170085673A (en) | Communication service system and method for managingsecurity of a service server and communicationequipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: MICROENTITY |
| | AS | Assignment | Owner name: SKY1 TECHNOLOGY LIMITED, HONG KONG Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YU, KENNETH KEUNG YUM;NG, CHAN YIU;REEL/FRAME:045628/0157 Effective date: 20180420 |
| | FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO MICRO (ORIGINAL EVENT CODE: MICR); ENTITY STATUS OF PATENT OWNER: MICROENTITY |
| | STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| | CC | Certificate of correction | |
| | MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, MICRO ENTITY (ORIGINAL EVENT CODE: M3551); ENTITY STATUS OF PATENT OWNER: MICROENTITY Year of fee payment: 4 |
| | AS | Assignment | Owner name: NG, CHAN YIU, CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SKY1 TECHNOLOGY LIMITED;REEL/FRAME:066690/0129 Effective date: 20240221 Owner name: YU, KENNETH KEUNG YUM, HONG KONG Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SKY1 TECHNOLOGY LIMITED;REEL/FRAME:066690/0129 Effective date: 20240221 |